feat(auth): add Authelia for OIDC

Use Authelia in an attempt to replace Keycloak. Kanidm is another alternative we're going to try later.
vehagn · Sep 9, 2024 · 5a53d28 · 5a53d28
1 parent c44d39b
commit 5a53d28
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 1 deletion.
diff --git a/k8s/apps/homepage/blog/hugo/http-route.yaml b/k8s/apps/homepage/blog/hugo/http-route.yaml
@@ -18,4 +18,4 @@ spec:
             value: /
       backendRefs:
         - name: hugo
-          port: 80
+          port: 80
diff --git a/k8s/infra/auth/authelia/kustomization.yaml b/k8s/infra/auth/authelia/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+
+resources:
+  - ns.yaml
+
+helmCharts:
+  - name: authelia
+    repo: https://charts.authelia.com
+    releaseName: authelia
+    namespace: authelia
+    version: 0.9.5
+    valuesFile: values.yaml
diff --git a/k8s/infra/auth/authelia/ns.yaml b/k8s/infra/auth/authelia/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia
diff --git a/k8s/infra/auth/authelia/values.yaml b/k8s/infra/auth/authelia/values.yaml
@@ -0,0 +1,60 @@
+image:
+  registry: ghcr.io
+  repository: authelia/authelia
+  tag: 4.38.10 # renovate: docker=ghcr.io/authelia/authelia
+  pullPolicy: IfNotPresent
+
+configMap:
+  theme: 'dark'
+
+  access_control:
+    # upgrade to 'two_factor' later
+    default_policy: 'one_factor'
+    rules:
+     - domain_regex: '^.*\.stonegarden.dev$'
+       policy: 'one_factor'
+
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: 'lldap'
+      address: 'ldap://lldap.lldap.svc.cluster.local'
+      base_dn: 'DC=stonegarden,DC=dev'
+      additional_users_dn: 'OU=people'
+      # To allow sign in both with username and email, one can use a filter like
+      # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
+      users_filter: '(&({username_attribute}={input})(objectClass=person))'
+      additional_groups_dn: 'OU=groups'
+      groups_filter: '(member={dn})'
+      user: 'UID=admin,OU=people,DC=stonegarden,DC=dev'
+      password:
+        secret_name: 'lldap-auth'
+        value: 'password'
+
+#    file:
+#      enabled: true
+
+  session:
+    cookies:
+      - subdomain: auth
+        domain: stonegarden.dev
+
+  storage:
+    postgres:
+      enabled: false
+      address: 'tcp://postgres.databases.svc.cluster.local:5432'
+    # Switch to Postgres later
+    local:
+      enabled: true
+
+  notifier:
+    filesystem:
+      enabled: true
+
+secret:
+  additionalSecrets:
+    lldap-auth:
+      items:
+        - key: 'password'
+          path: 'authentication.ldap.password.txt'
+
diff --git a/k8s/infra/auth/lldap/svc.yaml b/k8s/infra/auth/lldap/svc.yaml
@@ -11,3 +11,6 @@ spec:
     - name: web
       port: 80
       targetPort: web
+    - name: ldap
+      port: 389
+      targetPort: ldap
diff --git a/k8s/infra/auth/project.yaml b/k8s/infra/auth/project.yaml
@@ -9,6 +9,8 @@ spec:
   destinations:
     - namespace: 'argocd'
       server: '*'
+    - namespace: 'authelia'
+      server: '*'
     - namespace: 'keycloak'
       server: '*'
     - namespace: 'lldap'